Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-security@g.o
From: aa6qn@...
Subject: Re: Snort alert with Squid ?
Date: Mon, 7 Nov 2005 05:45:19 -0800 (PST)
Yesterday as a follow on, I unmerged the Gentoo Squid (2.5.11 Stable) and
installed Squid-3.0-PRE3-20051030 direct from Squid-cache.org. After that
my only trigger was a common false positive but no random web attacks as
produced by the Gentoo version.

I did record attemps from other Gentoo platforms (i.e. 
raptor.gentoo.osuosl.org) that had the same attack signatures probing my
server.

I did save one alert log from the Gentoo Squid build and here are some clips:
----------------------------
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80
TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF
***AP*** Seq: 0xB9ED7061  Ack: 0x1D930248  Win: 0x1BB4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 287314455 7254994
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1376][Xref =>
http:/
/www.securityfocus.com/bid/2252]

[**] [1:1288:8] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: access to a potentially vulnerable web application]
[Priority:
2]
11/03-13:36:24.862442 192.168.1.12:36095 -> 160.227.20.8:80
TCP TTL:64 TOS:0x0 ID:26245 IpLen:20 DgmLen:740 DF
***AP*** Seq: 0xB9ED7061  Ack: 0x1D930248  Win: 0x1BB4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 287314455 7254994
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11032]

[**] [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
11/03-13:36:59.036747 192.168.1.12:36106 -> 130.191.143.18:443
TCP TTL:64 TOS:0x0 ID:44644 IpLen:20 DgmLen:489 DF
***AP*** Seq: 0xBBD22A6D  Ack: 0xC6E36C0C  Win: 0x2118  TcpLen: 32
TCP Options (3) => NOP NOP TS: 287348635 430347512
[Xref =>
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0719][Xref =>
http://www.securityfocus.com/bid/10116]

[**] [1:972:8] WEB-IIS %2E-asp access [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2]
11/03-13:38:00.152634 192.168.1.12:36118 -> 63.93.242.137:80
TCP TTL:64 TOS:0x0 ID:35374 IpLen:20 DgmLen:829 DF
***AP*** Seq: 0xC0300C22  Ack: 0x156D63CD  Win: 0x16D0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0253][Xref =>
http://www.securityfocus.com/bid/1814]

[**] [1:1564:6] WEB-MISC login.htm access [**]
[Classification: access to a potentially vulnerable web application]
[Priority: 2]
11/03-18:02:09.890960 192.168.1.12:32790 -> 209.202.161.132:80
TCP TTL:64 TOS:0x0 ID:16648 IpLen:20 DgmLen:568 DF
***AP*** Seq: 0xB256AB50  Ack: 0x16654B17  Win: 0x16D0  TcpLen: 20
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-1533][Xref =>
http://www.securityfocus.com/bid/665]

[**] [1:895:7] WEB-CGI redirect access [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/03-18:02:19.371472 192.168.1.12:32796 -> 207.46.225.221:80
TCP TTL:64 TOS:0x0 ID:40290 IpLen:20 DgmLen:525 DF
***AP*** Seq: 0xB3019639  Ack: 0x80329EEE  Win: 0x6C0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 4294840274 7096916
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2000-0382][Xref =>
http://www.securityfocus.com/bid/1179]

[**] [1:1333:6] WEB-ATTACKS id command attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:37:22.144594 192.168.1.12:33666 -> 63.208.226.65:80
TCP TTL:64 TOS:0x0 ID:61249 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0xDEBFB8B8  Ack: 0xDC15FDA0  Win: 0x16D0  TcpLen: 20

[**] [1:1112:6] WEB-MISC http directory traversal [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/03-21:43:43.650398 192.168.1.12:33728 -> 63.208.226.65:80
TCP TTL:64 TOS:0x0 ID:26729 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0xF4A1B938  Ack: 0xE9F492C2  Win: 0x16D0  TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS298]

[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:56:10.945244 192.168.1.12:33991 -> 208.254.3.160:80
TCP TTL:64 TOS:0x0 ID:56127 IpLen:20 DgmLen:679 DF
***AP*** Seq: 0x2581E951  Ack: 0xF243E594  Win: 0x5B4  TcpLen: 32
TCP Options (3) => NOP NOP TS: 13906685 185043937
[Xref => http://www.securityfocus.com/bid/2527]

[**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
[Classification: Web Application Attack] [Priority: 1]
11/03-21:56:12.087098 192.168.1.12:33992 -> 66.179.5.89:80
TCP TTL:64 TOS:0x0 ID:14281 IpLen:20 DgmLen:980 DF
***AP*** Seq: 0x25AB00D1  Ack: 0x8BAB936F  Win: 0x16D0  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2527]

There has been much more but that's is just some snips of the one alert
log that I did save. So far with the new Squid cache I do not get attack
signature triggers as with the Gentoo release.

I was trying Snortsam to control my iptables and have not really gotten it
to work. I will give the flexresp and oinkmaster suite a look. Thank you.

Best wishes, JohnF





-- 
gentoo-security@g.o mailing list


References:
Snort alert with Squid ?
-- aa6qn
Re: Snort alert with Squid ?
-- Brian G. Peterson
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: Snort alert with Squid ?
Next by thread:
Re: Re: [gentoo-security] Snort alert with Squid ?
Previous by date:
Re: Re: [gentoo-security] Snort alert with Squid ?
Next by date:
Advice about security solution


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.